分享
 
 
 

怎样黑进Microsoft:循序渐进指南

王朝other·作者佚名  2006-01-08
窄屏简体版  字體: |||超大  

How you hack into Microsoft: a step by step guide

By: [url=mailto:thomas.greene@theregister.co.uk]Thomas C Greene in Washington

Posted: 31/10/2000 at 12:42 GMT

Microsoft's recent sacking at the hands of unskilled malicious crackers has engendered a vast cloud of false scent from company flacks, who in past days have progressively shrunk their damage assessments. According to company sources, the intruders had access for only 12 days, not six weeks as first reported, and did not corrupt any software in development.

Others note that, twelve days or not, the intruders can't have helped stealing the source code for the new versions of Windows ME/2K and Office, and might well have implanted back doors, laying the foundation for easy remote exploitation once the finished products reach the marketplace.

So, were the walls of the castle breached? Was the digital diadem of William Perfidious defiled by the grubby hands of the unwashed? Or did a handful of malicious kiddies manage nothing more than to give the Kingdom of Gates a scare? We don't pretend to know; but we're going to walk you through the likely steps the intruders would have taken, and let you decide how much damage they might, or might not, have done.

Barbarians at the gate

Network security becomes increasingly difficult as point-and-drool cracking tools proliferate. So many painfully easy-to-use appz have been developed in recent years that persistence is now a far more reliable predictor of success than skill: even a newbie cracker can succeed by using pat scripts and casting his nets wide enough.

The Microsoft intrusion was almost certainly not the work of elite hackers; if it had been, we would not now be reporting it. What we're going to detail below is how a fool can (and did) sack the Magic Kingdom.

Everything the newbie cracker needs to break in to the Microsoft Developers' Network is readily available on the Web following a brief search. Here's how you go about it: First, you'll download a Trojan which can be distributed via e-mail. QAZ, which was used in the M$ attack, is a fine choice because it will automatically copy itself throughout shared folders on a LAN. It's a malicious backdoor program masquerading as the familiar Microsoft utility Notepad.

Once activated, QAZ searches for notepad.exe and copies itself in place of the standard Notepad file, while simultaneously re-naming it note.com. The beauty here is that when someone executes their Trojanised Notepad, it also launches note.com, or the original Notepad, so the application appears to behave normally to the user. It then searches the entire LAN for additional copies of notepad.exe to infect.

To get it implanted on a LAN in the first place, you need to feed it to someone dense enough to execute it. It's easy enough to distribute as an e-mail attachment, but not everyone will fall for it. Thus there are two chief obstacles to getting started, neither of which is terribly difficult to overcome.

First there is social-engineering - that is, baiting the victim. The wording of the e-mail message has got to make executing the attached program both desirable and sensible. Presenting it as a software patch or upgrade is a common stratagem, though there are others. Zipping it and naming it PornCollection.zip or DirtyJokes.zip is another.

If the e-mail message makes sense in context of the attachment, and if it's sent to enough potential victims, the combined laws of probability and human nature ensure that some dumb bastard will activate the payload. And with QAZ, you only need one victim; it will propagate on its own.

Your second obstacle is anti-virus software. Not a tough one either, despite all the glowing claims of heuristic genius touted by anti-virus vendors. We took several of the most popular Trojans: Back Orifice, SubSeven, NetBus and Hack'a'Tack, and first verified that our copy of Norton AntiVirus would detect them, both as-is and zipped. We then compressed them using a sweet little developer's tool called NeoLite and ran Norton AntiVirus again.

Not one Trojan was detected, because NeoLite alters the signatures used by anti-virus manufacturers to identify malicious code. Only the Trojan Deep Throat, which we received already compressed by NeoLite, was detected, presumably because it's usually distributed in that form and its compressed signature is known. And the beauty of NeoLite is that it's self-extracting. No third-party software like WinZip need be loaded on the victim's machine for the compressed programs to be executed.

On the inside

Once you've managed to infect a machine on the target LAN, QAZ will e-mail you the IP automatically, activate WinSock and wait for a connection on port 7597. Simply check your mail, connect, and, voila, you're in. We're assuming you have the sense to use a Web-based e-mail account for QAZ to communicate with, which you will have opened with fictitious personal data, and that you know the basics of concealing your computer's IP.

Now you'll need to swim around inside the LAN sharkwise until you find yourself a nice, juicy target. Be patient; as the Trojan spreads, more machines will come on-line for you to connect to. Check them all thoroughly. What you're looking for is a box to which you can connect directly, and which is trusted by your ultimate target - some machine with valuable data on it.

You can pretty well assume that any box containing real treasures will be protected by a firewall. You probably won't be able to connect directly to it with a Trojan, but that's all right. There are other machines on the LAN which your target box will trust. So find out which of the boxes to which you can connect might themselves be plugged into something sweet, like another box with the source code for Win-2K, par example. The strategy here is to leapfrog from machines which you own, to the one you want to own.

Where do you want to go today?

Now you've got access to a machine with interesting, valuable data. Let's say it's on the MS Developers' Network, and contains the source code for Win-2K. What's your next move?

It would make sense to download the code first so that if you're suddenly discovered and shut out, you'll at least have something to show for your efforts. Source code is jealously guarded and of course extremely valuable to Microsoft's competitors. Owning it can be immensely profitable for you, especially if you know a sleazy development house in a country with virtually no piracy enforcement, like in Russia, say, or anywhere in East Asia.

You might also wish to implant malicious code of your own in the source to make it easy to exploit once it reaches market, or, alternatively, examine it closely for weaknesses already coded into it, to get a jump on the competition once it ships. A lot of valuable data gets served up on these products; merely knowing where the weaknesses are before the security industry catches on can lead to considerable riches.

So how difficult would that be? Obviously, profiting from such an intrusion requires skill; though as we've illustrated, getting inside the network is child's play. You might be a dangerous cracker, and one so clever that as part of your social-engineering strategy you've deliberately opted to use common tools and techniques to conceal your true, terrifying capabilities. But then again, you might not.

More likely you're a young fool with virtually no skills and little ambition, snapping up toolz and appz from the Web and feeling your way blindly towards the cracker pantheon. You'll do no harm because you don't know how to do harm, but you'll think quite highly of your insignificant achievements. You'll recall your modest exploits with fondness, boast about them in IRC h4x0r chatrooms hoping to impress some k1dd13 even lamer than yourself, and get busted by one of the hundreds of Feds who regularly hang out in these venues.

And that, more than anything, is what Microsoft is fervently hoping. ®

Related Stories

MS hacked! Russian mafia swipes WinME source?

Redmond strives to cram Great MS Hack back in box

MS blocks staff dial-in access after 'minor' hack

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有